Re: Firewall rule for X11 usage
- Subject: Re: Firewall rule for X11 usage
- From: John Harper <email@hidden>
- Date: Thu, 16 Jan 2003 13:19:52 -0800
On Thursday, January 16, 2003, at 12:03 PM, Sean Ahern wrote:
> X11 has a good per-user authentication mechanism called xauth. Do not use
> the older "xhost", as it only does per-machine authentication. See other
> posts in this thread for details about how to set up xauth. If you use
> xauth authentication, opening ports 6000-6063 is not a security hole.
Xauth is very basic. When using the MIT-MAGIC-COOKIE-1 scheme the
authentication is done by sending a random number known to both server
and client across the network. If the numbers match, the connection is
allowed. However, the number is sent unencrypted, so it's possible for
anyone watching the network stream to capture the random number and
connect to your server.
Also, the data sent across the connection isn't encrypted either, so
even if the authentication method is secure, eavesdroppers can still
see everything sent between server and client, e.g. the keys you type.
So in summary, if you're connecting across an unsecure network use ssh.
John
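
Added example, not part of John Harper's message: a Python check that parses the client's X11 connection setup request and reports whether a MIT-MAGIC-COOKIE-1 value is readable in the cleartext stream, as it would be on a direct connection to ports 6000-6063. The field layout follows the X11 core protocol; the function names and both sample byte strings are constructed for illustration.

```python
import struct

AUTH_NAME = "MIT-MAGIC-COOKIE-1"

def pad4(n: int) -> int:
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (n + 3) & ~3

def parse_x11_setup(payload: bytes):
    """Parse the client's connection setup request (start of the TCP stream).

    Returns {"auth_name", "cookie_len"} or None if this is not an X11 setup.
    """
    if len(payload) < 12 or payload[:1] not in (b"B", b"l"):
        return None
    endian = ">" if payload[:1] == b"B" else "<"   # 'B' = MSB first, 'l' = LSB first
    major, _minor, name_len, data_len = struct.unpack_from(endian + "HHHH", payload, 2)
    data_start = 12 + pad4(name_len)
    if major != 11 or len(payload) < data_start + data_len:
        return None
    name = payload[12:12 + name_len].decode("ascii", "replace")
    return {"auth_name": name, "cookie_len": data_len}

def cleartext_cookie_exposed(payload: bytes) -> bool:
    """True when a magic cookie is readable in an unencrypted X11 setup."""
    setup = parse_x11_setup(payload)
    return bool(setup and setup["auth_name"] == AUTH_NAME and setup["cookie_len"])

def build_sample_setup(cookie: bytes) -> bytes:
    """Constructed little-endian setup request, used only as sample input."""
    name = AUTH_NAME.encode()
    header = struct.pack("<BxHHHHxx", 0x6C, 11, 0, len(name), len(cookie))
    return (header + name.ljust(pad4(len(name)), b"\0")
            + cookie.ljust(pad4(len(cookie)), b"\0"))

SAMPLE_COOKIE = bytes(range(16))            # constructed value, not a real cookie
SAMPLE_X11 = build_sample_setup(SAMPLE_COOKIE)
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.0\r\n"     # constructed: what a tunnelled session shows

if __name__ == "__main__":
    for label, data in (("direct X11", SAMPLE_X11), ("via ssh", SAMPLE_SSH)):
        print(label, "-> cookie visible on the wire:", cleartext_cookie_exposed(data))
```

Run against the first payload bytes of flows on ports 6000-6063, a True result marks a session that should be moved behind ssh forwarding.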